Protect gateway from format-string crashes in data

As a common security measure, printf-style formatting codes are
not allowed to be directly interpreted from a writable segment.
The gateway code currently has the following function call:

osrfLogActivity( OSRF_LOG_MARK, act->buf );

This is a variadic function which expects the 'act->buf' position
to contain a format string and any trailing arguments to be the
values passed to the formatter.  Since act->buf is the value of
what we passed in, some data inadvertantly contains format strings,
and since it is a writable segment, the program crashes.  Here is
an example of a crash-causing call:

http://localhost/osrf-gateway-v1?service=test&method=test&param=%22%251n%22

The param is interpreted as "%1n" and abruptly fails.

The simple solution is to include a formatter so that our param gets
demoted to being mere data, i.e.:

osrfLogActivity( OSRF_LOG_MARK, "%s", act->buf );

Signed-off-by: Dan Wells <dbw2@calvin.edu>
Signed-off-by: Dan Scott <dscott@laurentian.ca>

diff --git a/src/gateway/osrf_json_gateway.c b/src/gateway/osrf_json_gateway.c
index 5282972..53094e3 100644 (file)
--- a/src/gateway/osrf_json_gateway.c
+++ b/src/gateway/osrf_json_gateway.c
@@ -300,7 +300,7 @@ static int osrf_json_gateway_method_handler (request_rec *r) {
                        }
                }
 
-               osrfLogActivity( OSRF_LOG_MARK, act->buf );
+               osrfLogActivity( OSRF_LOG_MARK, "%s", act->buf );
                buffer_free(act);
                /* ----------------------------------------------------------------- */